September 2013 The RMA Journal28
OPERATIONAL RISK

The Importance of Sustainable Policy Management in Delivering an Effective Risk Program
Here are six steps to ensuring that your firm’s approach to policy management is improving risk mitigation while meeting stakeholder needs.

by Greg Montana, Daniel Paula, and Jane Krecicki
Since the financial crisis of 2007-09, much has been written about the importance of a strong risk management function capable of challenging front-line business units within financial services firms. Since the crisis, many of these firms have focused on expanding and improving their internal risk management functions, and many have made significant progress.

Risk management is in the spotlight, as indicated by U.S. Comptroller of the Currency Thomas Curry, who stated that operational risk is now the most important determinant of a financial institution’s robustness and stability, replacing credit risk as the major safety and soundness challenge for national banks.[1]

It is axiomatic that enterprise policy management should be a vital part of an effective risk management program, and there is strong evidence that banks and other financial institutions have focused on this aspect in efforts to improve their risk programs. Nonetheless, for policy management to have a sustainable impact, risk managers should follow a set of leading practices and make sure to give those practices ongoing attention and maintenance.

This article will discuss the art of risk mitigation through sustainable policy management practices. It will identify key stakeholders and their interests and propose leading practices for the financial services industry as it deals with the aftermath of the financial crisis.
Six Leading Practices in Policy Management
A properly structured policy management program adds value to all stakeholders of a financial services firm. These include internal stakeholders, such as employees, executive management, and the board, as well as external stakeholders, such as clients, auditors, and regulators. Employees want clear, easy-to-understand, and accessible policy documentation so they will know what is expected from them. Executive management and the board are interested in how well strategies and goals are being carried out through codified expectations in well-written corporate policies. Internal auditors and government regulators are interested in measuring policy adherence and in ensuring that policies meet regulatory and industry standards. Clients rightfully expect their financial institutions and vendors to have policies that protect their assets and sensitive data.

Meeting all these expectations is at the heart of a strong enterprise policy management program. Based on experience in developing and leading policy management programs, the authors have observed these leading practices:
1. Establish a policy office and define clear roles and responsibilities for the policy management process.

Creating a policy office in effect creates a central function with clear authority for administering the policy management program. The policy office should then define the roles and responsibilities for all other participants in the policy management program. Policy owners (or stewards) with the correct subject-matter expertise should be assigned to all policies and given accountability for authoring and maintaining them. Oversight and governance of the policy management framework should be centralized within the policy office to ensure that policy owners across the organization are performing consistently. Responsibilities for compliance, implementation of policy requirements, and employee training should also be clearly articulated. Executive management should not only be informed of all new policies, but also be required to approve major policy changes as well as new material policies. The policy-approval process should be crystal clear. Any policy exceptions ought to be individually approved and monitored. Finally, the list of policy owners (or stewards) should be kept current. All changes should be formally approved on a regularly scheduled basis.
2. Spend time on semantics because it matters.

A consistent taxonomy is also a fundamental part of solving the policy management puzzle. A clear and concise working definition of a “policy,” a “standard,” a “procedure,” or a “guideline” should be documented and disseminated throughout the organization. Organizations should also consider developing training targeted at policy owners to ensure that corporate policy writing and maintenance activities are executed consistently. An organization’s central policy management team is perfectly positioned to work with policy owners to ensure that every policy meets consistent criteria.
3. Centralize policy documentation and make it easy to find.

Centralizing policies and making them easily accessible to employees are keys to sustaining a successful policy management program. Policies should not be dispersed but rather consolidated, maintained, and managed, ideally by using technological solutions to automate workflow and document management activities that ensure positive control over the content. Organizations should keep their policy inventory in a centralized location, subject to strong version control, functioning as the one-stop shop for all corporate policy needs. This construct is helpful in avoiding the proliferation of user-defined intranet portals, which are outside the oversight of the central policy governance team. Automated tools can be used to configure search parameters and render policy documents to avoid confusion, simplify the user experience, and keep the content current.
4. Measure to manage the program.

With one central repository, metrics and reporting can be used to manage the quality and accuracy of the policy inventory. A simple yet helpful risk indicator is the percentage of policy documents with past-due reviews, which measures the quality of the policy inventory. It can also be used as a forward-looking (predictive) indicator of poor compliance or audit ratings. The higher the percentage, the more likely your policy documentation is outdated and the less likely your business standards and employee practices are reflecting your policy. In a nutshell: Policies cannot afford to be outdated. They must be reviewed and updated on a regular basis. The frequency of policy review and updating should be based on a simple, risk-based approach. Policies intended to cover the highest-risk practices should be reviewed and updated at least annually. The speed with which the regulatory landscape changes demands nothing less. In addition, policy management reporting should be incorporated into overall governance routines such as line of business or corporate operational risk committees to give visibility on all policy activity as well as risk indicator levels.

[Figure: document taxonomy. Policy: What?; Standard: How?; Guideline: Best Practices. Axes: Details/Depth; Broader Implications.]
5. Train, train, train.

Well-defined policy awareness training should be part of every company’s new-hire orientation program, covering at least the most important corporate policies. In addition, on an annual basis, a thematic analysis of recurring issues and control breakdowns should be performed to reveal any potential policy gaps and to yield insights into which policies might need to be disseminated to employees. More often than not, behind every control breakdown is a human being who did not make the right call at the right time. While human error cannot be completely avoided, adequate policy awareness training can be an effective mitigation strategy. The highly regulated airline industry, with its focus on rigorous and ongoing safety training to ensure all employees are aware of policies and requirements, provides a good example for the financial services industry. When it comes to increasing employee awareness, the best practice is to have a single policy system that allows employees to see all of the policies that apply to their specific roles in the organization and to receive an automated notification of new or revised policies.
6. Sign, attest, acknowledge, and track.

Attestation and acknowledgment must be integral parts of policy management. Even putting the most sophisticated policies in place is not enough. Organizations must also be able to attest to the training they provide, as well as certify that their employees understand and agree to comply with corporate policies.
Conclusion

Heightened regulatory expectations and ongoing change in the financial services industry demand a more disciplined approach to managing corporate policies. This article presented six policy management practices designed to improve risk mitigation while addressing what can often be complex stakeholder needs.

Whether you are managing operational risk at a community bank, a regional institution, a technology services provider, or a large bank, the challenges are similar. A consistent and structured enterprise policy management program is more than just collecting important documents and providing them when requested. It is about creating a lever that can be pulled to help reduce risk exposure, while enabling employees to understand their roles and perform their jobs more efficiently and effectively.
Greg Montana is executive vice president and CRO at FIS. He can be reached at greg.montana@fisglobal.com. Daniel Paula is senior vice president, risk management executive, and head of enterprise risk governance and policy at FIS. He can be reached at daniel.paula@fisglobal.com. Jane Krecicki, risk manager, leads the enterprise policy management program at FIS. She can be reached at Jane.Krecicki@FISGlobal.com.
Notes

[1] “‘An Extraordinary Thing’: OCC’s Curry Sees Operational Risk as Top Concern,” American Banker, May 16, 2012.
[Figure: Policy Management Lifecycle. Stages: Policy Development and Approval; Communicate, Train and Acknowledge; Implement and Enforce; Policy Measurement and Evaluation. Labels: Define and Communicate Boundaries and Expectations; Communicate Expected Behavior; Drive Compliance Enforcement and Guide Desired Behavior; Establish Governance and Accountability Framework; Protect the Organization; Achieve Business Outcomes.]